Tuesday, June 05, 2012

Software Code Signing Certificates. Do you care?

I have always considered it important to have our program clearly identified as an authentic application. There is value in proving that a file you’re about to install on your computer comes from a reputable company like BillP Studios. This is currently accomplished with a code signing certificate issued specifically to BillP Studios and applied when WinPatrol is built. Before the release of any new version I run a code signing tool from Microsoft that uses two encrypted files with uniquely assigned keys to sign and identify our WinPatrol files.

The use of a code signing certificate gives anyone who downloads our program proof that their download comes from BillP Studios and isn’t malware created to fool people into thinking they’re downloading WinPatrol. It also means that any change to our files after signing would break the signature.

When someone installs WinPatrol they currently may see this dialog, providing proof that the file has been “signed” using a certificate created for BillP Studios. To obtain a code signing certificate BillP Studios must prove it’s a legitimate company. Our name, address, phone, bank account and other assets are validated by a company that is authorized to issue certificates. In our case, the “certificate authority” is VeriSign, which is owned by Symantec. For a one year certificate we also have to pay a fee of $499 USD for the validation process. Since our information has remained the same over the years we’re a pretty easy case.

If you click on the details arrow located on the dialog above you can learn more about who created the file and read information included in their certificate.

As you can see, this particular certificate expires on June 9th, 2012. I only have a few days to decide if I will continue relying on code certificate technology to validate WinPatrol and the other programs I create.
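The expiry date and publisher details the dialog shows can also be read from the console. The script below is an added example, not code from the post or from BillP Studios; it uses Windows PowerShell's built-in Get-AuthenticodeSignature, and the file path and the expected publisher string are placeholders you would replace with your own download and the name you expect on the certificate.

```powershell
# Added example (not from the original post): inspect the Authenticode signature on a
# downloaded installer from the console instead of the install dialog.
# Assumptions: the path and publisher name below are placeholders, not values from the post.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)][string]$Path,                 # e.g. 'C:\Downloads\wpsetup.exe' (placeholder)
        [string]$ExpectedPublisher = 'BillP Studios'          # text expected inside the certificate Subject
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status is 'Valid' only when the file hash matches the signed hash AND the certificate
    # chains to a trusted root. 'HashMismatch' means the file changed after it was signed;
    # 'NotSigned' means there is no signature at all.
    "Status      : $($sig.Status)"
    "StatusMsg   : $($sig.StatusMessage)"

    if (-not $sig.SignerCertificate) { return $false }

    $cert = $sig.SignerCertificate
    "Subject     : $($cert.Subject)"
    "Issuer      : $($cert.Issuer)"
    "Valid until : $($cert.NotAfter)"
    "Thumbprint  : $($cert.Thumbprint)"

    # A certificate that has since expired is still fine for an already-released build IF the
    # signature carries a trusted timestamp, because the timestamp proves the certificate was
    # valid at signing time. Without a timestamp, Windows stops accepting the signature once
    # NotAfter passes, so an expiring certificate matters for old downloads too.
    if ($sig.TimeStamperCertificate) {
        "Timestamped : yes (by $($sig.TimeStamperCertificate.Subject))"
    } else {
        "Timestamped : no - this signature will stop verifying after $($cert.NotAfter)"
    }

    # A valid signature only proves *someone* with a CA-issued certificate signed the file;
    # the publisher name is what ties it to the company you meant to download from.
    if ($cert.Subject -notlike "*$ExpectedPublisher*") {
        Write-Warning "Signer Subject does not mention '$ExpectedPublisher'; valid signature, wrong publisher."
        return $false
    }

    return ($sig.Status -eq 'Valid')
}

# Usage (placeholder path):
# Test-InstallerSignature -Path 'C:\Downloads\wpsetup.exe' -ExpectedPublisher 'BillP Studios'
```

The function returns `$true` only when the signature verifies and the Subject names the publisher you expected; the two checks are deliberately separate because the dialog's "Verified publisher" line is really answering the second question, not just the first.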

Most people don’t really pay attention to the information provided in the first dialog, and in the older dialogs below most people didn’t notice much difference. It has been common practice to download programs which weren’t signed.

So, the question facing me this week is: should I pay $500 to Symantec so I can continue to distribute WinPatrol as an officially signed and certified application?

On older versions of Windows and IE the difference between a signed application and an unsigned one wasn’t significant. Neither dialog gives you much confidence about downloading from the internet.

This is what users would see if they downloaded the setup program for WinPatrol. How dare they suggest my file could harm someone’s computer?

If I didn’t sign our setup program the text here is actually more precise in its explanation. Most people knew what they were getting and I don’t think anyone would have been deterred by this message.

Now, however, Microsoft Windows has increased its warnings and made it harder to install unsigned programs.

A signed application downloaded by Internet Explorer 9 will still include a yellow warning, but it’s nothing compared to the red warning that shows up if the download is not signed. There is no option to Run an unsigned program. To continue you must click on Actions, which generates more fear from IE’s SmartScreen dialog. Instead of code signing, Internet Explorer can also base its advice on a known “Reputation”. I’m told that, as a small developer, the best way to maintain a good reputation is to sign your code.

The SmartScreen filter doesn’t give you any option to continue running a non-signed program unless you click on “More Options”.

Luckily, other browsers don’t scare users as much, and your warning will come from the Windows User Account Control dialog. Shown above is the dialog for an unsigned WinPatrol setup.

Here’s the friendlier dialog you’ll see if WinPatrol has been signed. I doubt many users actually click on Show Details to find out more about the Verified publisher. It might be useful if a program appears out of nowhere, but since most users make a deliberate choice to download WinPatrol, having it signed doesn’t really seem to be necessary. Would you see the difference and cancel a setup based on the difference between these two dialogs?

Again, I’m faced with the question of paying $500 to Symantec so I can distribute WinPatrol as a program signed using a valid certificate. Is $500 worth it, for those of you who understand digital code signing? I don’t believe the concept of code signing is something users know about or understand.

As someone with an interest in cyber security my first response is to applaud Microsoft for forcing more developers to sign their code. As a developer I’m hesitant to trust code signing. I’d really rather use the $500 fee towards a new copy of Adobe Photoshop than a security certificate nobody will pay attention to.

I’ll make a decision within a couple of days, so I welcome your feedback. Leave your comments here or on Twitter to @BillP.

Update June 8, 2012: Thank you all for providing great feedback. Comments were even more detailed than I expected. Based on well thought out advice I will continue to sign WinPatrol, its components and setup program. Most folks say they ignore code signing information but they also agree it’s respectful to WinPatrol users for BillP Studios to provide a validated WinPatrol file before they download it.

It was actually a friend working for Microsoft who pointed me to a “certificate authority” that provides a code signing certificate for $95 USD instead of the $500 I’ve been paying every year. It’s always good to shop around, but in this case the difference in price for virtually the same product is amazing.

21 Comments:

Anonymous said...

I consider myself a fairly careful downloader/installer, and while I do like to see a signed certificate, I often install a program without a certificate. But I make sure I know where the program came from. So if you decide to drop the certificate it wouldn't concern me.

Bill I'm surprised that it costs $500 for one year in order to be "verified". I use Firefox instead of IE, so can (and do) install "unknown" programs without too much trouble, though of course if there's doubt about where the executable came from, I use Comodo Internet Security to scan the file first. Anyway I vote NO for spending all that money.

I'm basically an experienced user without a "geek" background. Having used your products for years, I trust you, and will continue to do so whether you sign or not. But here's my thought for what it's worth: I like the fact that you DO sign your codes. It makes me trust you even more. I'd gladly pay a little more for your products to help raise the $500 so you can keep on signing.

Agree with both the 1st Anonymous poster and MaxBlack. And though it acts like a token of trustworthiness, I still believe that it doesn't make that big a difference, particularly since so many developers are not using the verification and still being downloaded and thus trusted. Apparently users of your program will not lose their confidence, but perhaps someone should share some thoughts on how NEW users will react?

It's true many of us long-time users have confidence in your product and may have installed the newer releases without verifying whether it was signed or not. As for the new users, just about anything can be Googled and it would not take long for them to see the positive track record your product provides. The reviews at CNET, MajorGeeks, etc. speak for themselves. Bottom line, I think it is an unneeded expense. Duke

Bill, ditch VeriSign and their rip-off pricing. You may want to think about establishing some checksum system so we can verify the correctness of what we have downloaded. Having said that, I admit that I hardly ever have tested checksums if they were offered. I rather download only from "trusted" sources. I have been using Windows since its very inception and so far have done well this way.
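The checksum idea raised in the comment above is easy to implement on the user's side. The script below is an added example, not something from the post, the commenter, or BillP Studios; it assumes a vendor-published SHA-256 line in the common `hash *filename` layout, and the hash value and file name in it are constructed placeholders.

```powershell
# Added example (not from the post or the comment): verify a download against a
# vendor-published SHA-256 value. Assumptions: the checksum line format 'hash *filename'
# and the file name are placeholders, not something BillP Studios actually publishes.
function Test-DownloadHash {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256   # as printed by the vendor, any letter case
    )
    # Get-FileHash (PowerShell 4 and later) hashes the whole file. Insist on SHA256:
    # MD5 and SHA1 are collision-prone and no longer count as tamper evidence.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $matches = ($actual -eq $ExpectedSha256.Trim())    # string -eq is case-insensitive in PowerShell
    [pscustomobject]@{
        File     = $Path
        Expected = $ExpectedSha256.Trim().ToUpperInvariant()
        Actual   = $actual
        Matches  = $matches
    }
}

# Constructed sample checksum line (sha256sum-style; the value is the SHA-256 of an empty
# input and the file name is a placeholder). The hash must come from a channel independent
# of the binary itself, e.g. the vendor's own HTTPS page rather than the mirror that served
# the download, or an attacker who replaced one can replace the other.
$line = 'E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 *wpsetup.exe'
$expected, $name = $line -split '\s+\*?', 2

$result = Test-DownloadHash -Path (Join-Path 'C:\Downloads' $name) -ExpectedSha256 $expected
$result
if (-not $result.Matches) { Write-Warning "Hash mismatch for $name; do not run it." }
```

A matching hash proves the bytes you received are the bytes the vendor listed, which is the tamper check the comment asks for; unlike a code signature it says nothing about who built the file, so the two mechanisms complement rather than replace each other.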

Appreciate Code Signing Certificates especially when used by companies that are in the Software Security business.

The Certificate Authority you have used, however, seems (too) expensive. Please consider using another CA.

Some of the SW Vendors I value highly due to their awesome freeware products, use, e.g. COMODO Code Signing Certificates. The price of them would seem to be only a fraction of the cost you mention in your blog.

While I would be very pleased to have you comment and back up your statements, you'd be welcome to identify yourself as a Symantec employee. I have no problems with VeriSign and I've met some bright people from Symantec.

Posting this information without acknowledging the source is an insult to my readers and makes your company seem a bit pitiful.

I know how to read access logs and it's not like I get that many comments. The kind of company that has to troll blogs posting anonymously isn't the image I had for Symantec.

Next time, please acknowledge you're a company rep. Your post will come across a lot more credible.

Hi, I’m the Global Social Media Strategist for Symantec and I wanted to clarify that the comment referenced in the blog post was not part of any official or sanctioned outreach from Symantec’s marketing efforts.

Symantec fully supports the principle of transparency, and the company’s social media policy requires that employees identify themselves as employees when posting on topics related to Symantec or Symantec’s products and services. We take this very seriously.

Many thanks to you for bringing this issue to our attention and promoting transparency in the online space.

It's all in clarification of Code Signing Certificate security and its technical specification. I got answers to all my issues in order to compose a tutorial article for code signing certificates. We really appreciate your efforts.